Illinois unemployment benefits stolen as state fails to implement basic security

The Illinois Department of Employment Security troubles included scores of unemployed unable to get benefits, nearly 32,500 Social Security numbers exposed and now benefits theft. A simple fix used by many online retailers could have prevented the thefts.

Most Illinoisans have seen online retailers and social media platforms use a simple text or email to prevent fraud, but the Illinois Department of Employment Security doesn’t use it and workers idled during the COVID-19 pandemic have seen benefits stolen from their state accounts.

Two-factor authentication could prevent the recent wave of scammers by sending an email or text when there is a change to account information. William Kresse, a fraud expert at Governors State University, told ABC 7 News he was surprised IDES did not use two-factor authentication, which he called “commonplace” across online platforms.

“In general, whenever an entity is getting a request to change the routing of funds, they should definitely verify the authenticity of that request, and the easiest, cheapest way of doing it is through two-factor authentication,” Kresse said.

The FBI put out a warning to Illinoisans last week about the ongoing scheme, adding it has received thousands of reports and complaints from Illinoisans who have been affected. It also warned the thefts could complicate their federal income taxes.

The FBI said scammers are using people’s names and personal information to apply for unemployment benefits through IDES. Once the benefits are approved, the scammers exploit IDES’ security flaws to hijack recipient accounts and request the money be sent to another account.

“This is a terrible scheme because it’s affecting not just a few people locally, it’s affecting a large group of people here in Chicago and across the nation,” FBI Special Agent Siobhan Johnson told ABC 7 News.

Scam victims such as Russel McFeely, who lost $1,800 after his account was hijacked, never had the chance to add a layer of security to their IDES account. “It never gives you the opportunity to put in a [number] where you can get an SMS text,” McFeely told ABC 7 News.

Although IDES said it will investigate the fraud, that can take months as bank records are subpoenaed and as they work through a backlog of fraud cases. If fraud is detected, the idled, scammed worker will have their benefits replaced. Fraud can be reported to IDES at 800-814-0513 or to the FBI at 800-225-5324.

This security flaw and hijacking scheme follows a series of other recent missteps by IDES.

In April, the state awarded Deloitte a $22 million no-bid contract to build the new and updated Pandemic Unemployment Assistance claims system for IDES, as well as manage a call center, amid the tidal wave of claims following the state’s COVID-19 lockdowns. After IDES’s new system came online in May, it suffered a data breach first discovered by an applicant – accidentally publishing the private information of nearly 32,500 Illinoisans who applied for benefits. Identity theft related to that breach is the subject of a lawsuit.

IDES also has a long history of operational and fiscal bungling, failing to recover $115 million in erroneous payments last year and $450 million between 2012 and 2016. Audits have repeatedly found mismanagement, including allowing claims to go unanswered for more than two months.

Two-factor authorization is a basic security measure. IDES owes that protection, as well as swift reimbursement of stolen funds, to the unemployed Illinoisans forced to trust the state to properly handle their sensitive personal information.